Enterprise Risk Management

What is ERM?

The management of risk across the whole organization with every function evaluating its risk on a regular and consistent basis.

… a process, effected by management, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the company, and manage risks to be within its risk appetite, to provide reasonable assurance regarding achievement of company objectives.

Why is ERM important?

Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Problem with Risk

Risks are rarely managed well enough.

Many critical risks are not identified at all.

Surprises recur too frequently.

Risks tend not to be well recorded.

Risks are seen as problems not opportunities.

Risk Management is not regarded as a business process.

Linking BSC and ERM

Risk Categories by Robert S. Kaplan and Anette Mikes

Category I: Preventable Risks.

These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes.

Category II: Strategy Risks. A company voluntarily accepts some risk in order to generate superior returns from its strategy. Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. CNOOC accepts the high risks of drilling several miles below the surface because of the high value of the oil and gas.

Category III: External Risks. Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.